Application Registration Configuration
The Configuration tab gives application administrators a guided workspace for changing the Microsoft Entra application registration without switching to the Entra portal. It covers redirect platforms, supported accounts, authentication behavior, app roles, exposed API scopes, and trusted pre-authorized clients.
Availability and Access
A tenant administrator controls whether registration configuration is available. Open Tenant Administration → Application Settings → General, enable Registration Configuration, and save the tenant settings. The Configuration tab is then available on managed application detail pages in both the WebUI and WA experiences.
• The application must already be managed by AZExecute and must still resolve to an Entra application registration.
• Tenant administrators and application administrators can save changes when they have management access to the application.
• Users who may view an application without managing it see the same configuration in read-only mode with an explanation that saving is restricted.
• AZExecute must have sufficient Microsoft Graph application-management permissions and ownership of the Entra application registration.
How the Workspace Is Organized
Open an application, select Configuration, and use the vertical navigation to move between five focused areas. Summary chips show the supported-account model and the current number of redirect URIs, app roles, and exposed scopes.
1. Redirect URIs — configure return addresses separately for Web, single-page, and public-client platforms.
2. Supported accounts — choose which Microsoft identity audiences can use the application.
3. Authentication settings — configure home and logout URLs, public-client behavior, and legacy browser token flows.
4. App roles — define role claims for users, groups, applications, or both.
5. Expose an API — configure identifier URIs, access-token version, delegated scopes, and pre-authorized clients.
Redirect URI Configuration
Redirect URIs are grouped by Microsoft identity platform type because the platform controls authentication and token behavior, not just how the address is displayed. Register each callback under the platform that actually performs the sign-in flow.
Web
Use Web for confidential, server-hosted applications such as ASP.NET Core, Java, or Node applications that can safely keep a client secret or certificate. Web redirects accept HTTPS. HTTP is accepted only for loopback/local development addresses.
Single-page application
Use this platform when authentication runs in browser code, including JavaScript and WebAssembly clients using authorization code with PKCE. Do not place a server callback here simply because it shares the same public hostname.
Mobile and desktop applications
Use this platform for native desktop, mobile, CLI, device, or other public clients that cannot safely store a secret. Loopback addresses and custom URI schemes are supported. The shortcut Add Microsoft native client redirect adds https://login.microsoftonline.com/common/oauth2/nativeclient when it is not already present.
Supported Account Types
Supported accounts control the application registration's sign-in audience. Changing this setting can affect issuer validation, tenant onboarding, token endpoints, and which identities your application must handle.
• Accounts in this organization only: single-tenant use for identities and workloads in the current Entra tenant.
• Accounts in any Microsoft Entra organization: multitenant organizational accounts; each consuming tenant must establish the required service principal and consent.
• Accounts in any organization and personal Microsoft accounts: accepts organizational and consumer Microsoft identities.
• Personal Microsoft accounts only: excludes organizational work and school accounts.
Authentication Settings
Web application URLs
• Home page URL is the optional application landing page. It must be an absolute HTTP or HTTPS URL.
• Front-channel logout URL receives a sign-out notification from Microsoft Entra. It must also be an absolute HTTP or HTTPS URL.
Public client flows
Allow public client flows marks the registration as a fallback public client. Enable it only when an installed application cannot securely retain a secret. A normal server application should remain a confidential client.
Implicit grant and hybrid flows
Access-token and ID-token issuance switches support applications that explicitly depend on legacy implicit or hybrid flows. New browser applications should use authorization code with PKCE. Enabling these switches is not required simply because the application has an SPA redirect URI.
App Roles
App roles define authorization values emitted in the roles claim. They can represent permissions for a signed-in user or group, application-only permissions for a workload, or a role that supports both scenarios.
• Display name is the administrator-facing role name.
• Token value is the stable value application code checks, for example Orders.Read.
• Description explains the access granted and is required by Entra.
• Users and groups allows assignment to interactive identities. Applications allows app-only assignment. At least one member type is required.
• Role enabled controls whether the role is available for new use.
Expose an API
Application ID URIs
The identifier URI is the API's logical identifier, scope prefix, and token audience. Most APIs need one value such as api://<client-id>. Microsoft Graph supports a collection of identifier URIs for advanced compatibility scenarios even though the Entra portal normally presents a single editor. Values must be absolute, unique, and appropriate for the registration's supported-account model.
Access token version
Choose the tenant default, version 1, or version 2 token format. Prefer the tenant default unless the API validates a specific format. Version 2 is mandatory when personal Microsoft accounts are supported.
Delegated permission scopes
Delegated scopes are permissions requested on behalf of a signed-in user. For application-only authorization, create an app role that allows Applications instead.
• Scope value is the stable value requested by a client, for example access_as_user. Scope values must be unique.
• Who can consent selects administrators only or administrators and users.
• Admin consent display name and description are always required.
• User consent display name and description are optional. Leave them empty when administrator-provided consent text is sufficient.
• Scope enabled controls whether the scope is available for clients.
Pre-authorized client applications
Pre-authorization allows a trusted client to use selected delegated scopes without another user consent prompt. Add a client, search the autocomplete by application name or client ID, select another AZExecute-managed application, and choose one or more enabled scopes.
• The picker reads managed applications from the tenant database; it does not search every application in Entra.
• The API currently being configured is excluded, and an application already selected in another row is not offered again.
• Every client requires a valid application (client) ID and at least one exposed scope.
• A pre-existing Graph client that is not managed by AZExecute remains visible as an unmanaged application so loading and saving does not silently discard it.
Validation, Saving, and Entra Propagation
Changes remain local to the page until Save configuration is selected. Discard reloads the current registration from Microsoft Graph and removes unsaved changes.
1. The client validates required fields, URI formats, duplicate values, member types, scope references, and token-version compatibility.
2. The backend repeats the same validation before writing to Graph. Whitespace is trimmed, blank optional values are normalized, and duplicate URIs are collapsed case-insensitively.
3. If the registration changed in Entra after it was loaded, the save is rejected as a concurrency conflict instead of overwriting the newer configuration. Discard or reload before trying again.
4. During a valid save, the page displays Updating Microsoft Entra while AZExecute writes the change and reads Graph until the updated values are observable.
5. On success, the page replaces its local state with the confirmed Graph result and shows a success notification. Validation, authorization, Graph, or propagation failures are shown through the standard detailed notification.